Two-Factor Authentication FAQ: 2FA at Amherst College

Please help us improve this FAQ. Send your questions to askit@amherst.edu. 

---

Do I need a smartphone to use Duo?

No. You can enroll any phone, including a flip phone, your college phone, and your home phone. You can also enroll an iPad or iPod Touch, or any Android tablet. You can also use specialized devices such as a hardware token (provides a Duo passcode on demand) or security key (plugs into your computer and lets you authenticate with a tap of a button).

Can I enroll more than one phone? Can I enroll more than one type of device?

Yes. We strongly recommend you enroll at least two devices. For faculty and staff, enrolling your office phone is a great backup for those mornings you forget your smartphone at home.

What if I've forgotten my smartphone and need to log into Moodle on a projection computer in a classroom?

Call the Help Desk from any available phone and request a temporary bypass code. You will have to provide a number found on your Amherst ID card to verify your identity in order to receive a bypass code.

I've already enrolled a device (my phone) in Duo. How do I now enroll a second phone or another device?

You can enroll as many devices as you wish when you initially enroll in Duo. Afterward, you need to do the following to enroll additional devices:

1. Open an incognito or private browsing window on your browser and login to any Duo-protected Amherst service such as the website, Gmail, or Moodle.
2. When you get to the Duo screen, DO NOT perform the second-factor authentication. Instead, on the left-side of the Duo screen, click "Add a new device."
3. You'll then be prompted to perform the second factor authentication. Do so now, after which you'll be able to add new devices. Just follow the prompts to add the new device.

I just traded in my old smartphone; how do I enroll my new one?

Just follow these instructions: https://www.amherst.edu/mm/576614

I share a college phone with others in my department. Can we all enroll the same phone?

No. Registering a shared phone is not allowed as it can lead to confusion as to who is requesting the MFA approval. If you do not have your own office phone or a cell phone, we recommend requesting a hardware token using the DUO Accommodation Form.

I sometimes log into our department's email account. Do I have to enroll this account?

No. 2FA only works with person accounts. 

My bank lets me "remember this computer" so I don't always have to enter a second factor to login. Does Duo have this option?

A checkbox on the Duo screen lets you have Duo remember the current web browser (Chrome, FireFox, Safari, etc) you are using for seven days. Future logins using that browser on the same computer won't require 2FA for the next seven days. Logins from the same computer using a different browser will require 2FA.

The "remember me" option doesn't work unless I enable third-party cookies in my browser, and I don't want to do this generally. What address do I use if I want to make an exception for cookies from Duo?

Use the following address: [*.]duosecurity.com

I'm travelling abroad and won't have cell service. How can I log in?

Cellular service is not required to receive and acknowledge a push from the Duo system. If you have a Wifi connection on your smartphone or tablet, you can use Duo. Also, the Duo Mobile app on your smartphone or tablet can always generate a passcode that you can enter to satisfy a login request; it doesn't need to be connected via cellular or Wifi to do so. Finally, before you leave, you can have Duo generate a set of 10 one-time passcodes and send them to you via SMS. Print these out and use them one at a time to satisfy login requests. Note that requesting a new batch of passcodes will invalidate any unused codes from a previous request.

How do I get the 10 one-time passcodes?

At any Duo login screen, click the "Enter a Passcode" option. You'll then see a button labelled "Text me new codes." Click it to have Duo send the one-time passcodes.

I don't see the Duo screen because I previously checked the "Remember me for 7 days" option. How do I get the one-time passcodes?

Use an incognito window (Firefox calls it a Private Window) on your current browser; the "remember me" option doesn't work in incognito/private mode.

I'm studying abroad and plan to swap out the SIM in my phone for a local one. Can I still use Duo?

If you swap out the SIM card on your phone it can't be used with the DUO push or call me options, but the passcode generator in the Duo Mobile app will still produce valid passcodes that you can use to log in.

I forgot my phone, lost my list of one-time codes, and need to login to email...and I'm in Kyoto. What do I do?

Contact AskIT. Help Desk staff have the ability to generate a one-time code for you. 

Did I mention it's 2 PM in Kyoto?? That's midnight in Amherst! 

Have you visited the Fushimi Inari Shrine? It's very relaxing.

Why isn't ACDATA included in the list of protected web services? 

ACDATA is aging, proprietary technology, which is why we're moving to Workday. It would be prohibitively expensive to get ACDATA to work with Duo, and there would be no guarantee that it would work reliably.

Why not wait until all college systems can work with Duo?

Because it is better to have some systems protected than none at all. 

Who will be required to use 2FA?

All employees and all students will be required to use 2FA. New students will have to enroll once they are on campus, and new employees will be required to enroll in the first two weeks after their start date. New alums will be unenrolled once their Amherst mailboxes are turned off the December after they graduate.

Would you please list ALL the ways I can use Duo to authenticate on an Amherst login screen?

• Tap an affirmative response to a Duo Push on an enrolled iOS or Android device. This is the preferred method.
• Press “1” on the keypad of any enrolled phone (landline or smartphone) in response to a call from the Duo system. This "Call me" option costs the college extra money.
• Enter a six-digit passcode generated by the Duo Mobile app on an enrolled iOS or Android device.
• Enter a six-digit passcode generated by a hardware token.
• Enter a six-digit passcode generated previously by Duo and sent via SMS to an enrolled iOS or Android phone. 10 such codes are sent at a time and can be printed out or stored by the you for later use. Codes are used sequentially, with each code being burned after one use.
• Enter a nine-digit bypass code generated by a person on the Help Desk and communicated to you.
• Tap an enrolled USB security key on your computer when it flashes. Security keys only work with the Google Chrome browser.
• Tap an enrolled Apple Touch ID device on your iPhone or MacBook Pro.

Will the College compensate me for using my personal smartphone to authenticate on College systems?

No, because there is no cost associated with using Duo push when you are connected via WiFi, and never any cost when you choose the Enter Passcode option.

What about students and employees who don't have a cell phone they can use for Duo, and who don't have access to a landline? 

IT will provide hardware tokens or USB keys to people who need them. You can make a request using the DUO Accommodation Form.